brace
browserify compatible version of the ace editor.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:snippets/html.js | AI (source-diff): Ace editor snippet definition file with long string literals, not obfuscated code. Pattern is inherent to brace's snippet files. | ai | |
| source-diff | obfuscated-file:snippets/javascript.js | AI (source-diff): Ace editor snippet definition file with long string literals, not obfuscated code. Pattern is inherent to brace's snippet files. | ai | |
| source-diff | obfuscated-file:snippets/php.js | AI (source-diff): Ace editor snippet definition file with long string literals, not obfuscated code. Pattern is inherent to brace's snippet files. | ai | |
| source-diff | obfuscated-file:snippets/lsl.js | AI (source-diff): Ace editor snippet definition file with long string literals, not obfuscated code. Pattern is inherent to brace's snippet files. | ai | |
| source-diff | obfuscated-file:snippets/perl.js | AI (source-diff): Ace editor snippet definition file with long string literals, not obfuscated code. Pattern is inherent to brace's snippet files. | ai | |
| source-diff | obfuscated-file:snippets/java.js | AI (source-diff): Ace editor snippet definition file with long string literals, not obfuscated code. Pattern is inherent to brace's snippet files. | ai | |
| source-diff | obfuscated-file:worker/xml.js | AI (source-diff): Minified Ace editor XML web worker bundle — standard build output for brace's purpose of packaging Ace editor components. | ai | |
| source-diff | obfuscated-file:mode/handlebars.js | AI (source-diff): Ace editor mode definition file with long concatenated highlight rules — standard build artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:mode/soy_template.js | AI (source-diff): Ace editor mode definition file (BSD-licensed Ajax.org) with long highlight rule lines — standard build artifact. | ai | |
| source-diff | obfuscated-file:mode/mask.js | AI (source-diff): Ace editor mode definition file with long syntax-highlighting rule lines; standard pattern for all Ace mode files in this package. | ai | |
| source-diff | obfuscated-file:mode/sqlserver.js | AI (source-diff): Bundled Ace editor SQL Server mode file; long lines from syntax definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:mode/html_elixir.js | AI (source-diff): Bundled Ace editor mode file with long CSS property lists; standard format for this package, not obfuscation. | ai | |
| source-diff | obfuscated-file:theme/iplastic.js | AI (source-diff): Bundled Ace editor theme with inline CSS; standard format for brace themes, not obfuscation. | ai | |
| source-diff | obfuscated-file:mode/swig.js | AI (source-diff): Bundled Ace editor Swig mode file with CSS property lists; standard format, not obfuscation. | ai | |
| source-diff | obfuscated-file:worker/html.js | AI (source-diff): Bundled/minified Ace editor HTML worker module; brace's purpose is to package Ace components as CommonJS modules. Stable for this package. | ai | |
| source-diff | obfuscated-file:mode/assembly_x86.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output. | ai | |
| source-diff | obfuscated-file:mode/mysql.js | AI (source-diff): Standard Ace editor concatenated mode file with long lines; not obfuscated. BSD license header + ace.define pattern. | ai | |
| source-diff | obfuscated-file:mode/jsoniq.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:mode/html_ruby.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output. | ai | |
| source-diff | obfuscated-file:mode/ejs.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output. | ai | |
| source-diff | obfuscated-file:mode/d.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output. | ai | |
| source-diff | obfuscated-file:mode/twig.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output. | ai | |
| source-diff | obfuscated-file:mode/autohotkey.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output. | ai | |
| source-diff | obfuscated-file:mode/actionscript.js | AI (source-diff): Standard Ace editor concatenated mode file; long lines from build output. | ai | |
| source-diff | net-exec-file:worker/javascript.js | AI (source-diff): importScripts() is standard Web Worker API used by Ace editor workers; not malicious. | ai | |
| source-diff | obfuscated-file:worker/coffee.js | AI (source-diff): Minified Ace editor CoffeeScript worker bundle; standard pattern for shipping web workers as string modules in brace. | ai | |
| source-diff | net-exec-file:worker/css.js | AI (source-diff): importScripts() is standard Web Worker API used by Ace editor workers; not malicious network activity. | ai | |
| source-diff | net-exec-file:workersrc/css.js | AI (source-diff): importScripts() is standard Web Worker API; eval in CSS parser for string literals is legitimate. | ai | |
| source-diff | net-exec-file:workersrc/javascript.js | AI (source-diff): importScripts() is standard Web Worker API used by Ace editor workers; not malicious. | ai | |
| source-diff | obfuscated-file:workersrc/xquery.js | AI (source-diff): Ace editor XQuery worker source; long lines from bundled parser, not obfuscation. | ai | |
| source-diff | obfuscated-file:workersrc/coffee.js | AI (source-diff): Ace editor worker source file; long lines from bundled CoffeeScript compiler, not obfuscation. | ai | |
| source-diff | obfuscated-file:worker/lua.js | AI (source-diff): Minified Ace editor Lua worker bundle; standard web worker shipping pattern. | ai | |
| source-diff | obfuscated-file:worker/json.js | AI (source-diff): Minified Ace editor JSON worker bundle; standard web worker shipping pattern. | ai | |
| source-diff | obfuscated-file:worker/javascript.js | AI (source-diff): Minified Ace editor JavaScript worker bundle; standard web worker shipping pattern. | ai | |
| source-diff | obfuscated-file:worker/css.js | AI (source-diff): Minified Ace editor CSS worker bundle; standard pattern for shipping web workers as string modules in brace. | ai | |
| source-diff | obfuscated-file:mode/mel.js | AI (source-diff): Ace editor MEL syntax mode file; long lines are regex keyword lists for syntax highlighting, not obfuscation. | ai | |
| source-diff | obfuscated-file:mode/smarty.js | AI (source-diff): Ace editor Smarty syntax mode file; long lines are highlight rules, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Adding new Ace editor language modes between versions is expected for this package. | ai | |
| source-diff | encoded-string-file:index.js | AI (source-diff): The 'encoded strings' are Unicode character range tables (Mn, M categories) used by the Ace editor for syntax highlighting. Not obfuscated payloads. | ai | |
| npm-metadata | url-dep:w3c-blob | AI (npm-metadata): URL dep points to the same maintainer's (thlorenz) own GitHub repo. Same-author URL dep is low risk for this established package. | ai | |
| dependencies | unvetted-dep:w3c-blob | AI (dependencies): w3c-blob is owned by the same maintainer (thlorenz); unvetted-dep flag is a stable false positive for this package. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Java snippet text for the Ace editor contains /etc/passwd as example content, not actual file access. | ai | |
| semgrep | semgrep:dll-injection-apis | AI (semgrep): Ace editor mode file for AutoHotkey contains language keywords for syntax highlighting, not actual DLL injection calls. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Ace editor's old_ie.js compatibility layer uses eval for monkey-patching; inherited from upstream Ace codebase. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.11.1 | 0 / 5 | |
| 0.11.0 | 0 / 5 | |
| 0.10.0 | 1 / 5 | |
| 0.9.1 | 1 / 5 | |
| 0.9.0 | 1 / 5 | |
| 0.8.0 | 1 / 5 | |
| 0.7.0 | 1 / 5 | |
| 0.6.0 | 1 / 5 | |
| 0.5.1 | 1 / 5 | |
| 0.5.0 | 1 / 5 | |
| 0.4.1 | 1 / 5 | |
| 0.4.0 | 1 / 5 | |
| 0.3.0 | 1 / 5 | |
| 0.2.1 | 1 / 5 | |
| 0.2.0 | 1 / 4 | |
| 0.1.3 | 1 / 4 | |
| 0.1.2 | 1 / 4 | |
| 0.1.1 | 1 / 4 | |
| 0.1.0 | 0 / 4 | |
| 0.0.1 | 0 / 0 | |
v0.11.1
3 findings
DLL injection API detected — potential process injection attack
Source: https://github.com/thlorenz/brace/blob/3a00c5d59777f9d826841178e1eb36694177f5e6/mode/autohotkey.js#L10
       8 | var autoItKeywords = 'And|ByRef|Case|Const|ContinueCase|ContinueLoop|Default|Dim|Do|Else|ElseIf|EndFunc|EndIf|EndSel
       9 | 'Abs|ACos|AdlibDisable|AdlibEnable|Asc|AscW|ASin|Assign|ATan|AutoItSetOption|AutoItWinGetTitle|AutoItWinSetTitle
    > 10 | 'ArrayAdd|ArrayBinarySearch|ArrayConcatenate|ArrayDelete|ArrayDisplay|ArrayFindAll|ArrayInsert|ArrayMax|ArrayMax
      11 | 'ce|comments-end|comments-start|cs|include|include-once|NoTrayIcon|RequireAdmin|' +
      12 | 'AutoIt3Wrapper_Au3Check_Parameters|AutoIt3Wrapper_Au3Check_Stop_OnWarning|AutoIt3Wrapper_Change2CUI|AutoIt3Wrap
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/thlorenz/brace/blob/3a00c5d59777f9d826841178e1eb36694177f5e6/snippets/java.js#L1
    > 1 | ace.define("ace/snippets/java",["require","exports","module"],function(e,t,n){"use strict";t.snippetText='## Access Modi
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findings
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
12 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.